
Important - Auth0 Public Disclosure


During the past few months, we have been informing you about the deprecation of Auth0 endpoints (usernamepassword/login, /ssodata) that were scheduled to be removed from service on April 1, 2018 (recently extended to July 16, 2018).

The reason for these notifications, as you can read in our blog post below, was that we had discovered two vulnerabilities affecting those endpoints and wanted to provide our customers with sufficient notice and time to migrate to new, more secure endpoints before public disclosure of the vulnerabilities. During this process, our engineering team was able to develop a back-end mitigation which significantly reduced the severity of the vulnerabilities, which allowed us to extend the Removal of Service date. However, we still encourage you to migrate your applications to the latest version of Lock 11 and Auth0.js 9, if you have not already done so.

This update is to inform you that we have publicly announced those vulnerabilities today, in keeping with responsible disclosure best practices. You can read about this in our blog post, or review the published CVEs: CVE-2018-6873, CVE-2018-6874.

Our recommendation to customers is to use Universal Login (this guide, Universal vs Embedded Login, explains the pros and cons in more detail). See Migrating from Embedded to Universal here: Migrating to Universal Login.

If you need to use Embedded Login, follow the guides below:

For further information, please refer to our blog post and FAQ.
